relicario/.claude/skills/product-expert/references/competitive-landscape.md
adlee-was-taken c3044ed5af feat(skills): add product-expert roadmap-audit + spec-review strategist
A standalone, self-triggering skill that acts as Relicario's product
strategist: audits the roadmap and reviews freshly-brainstormed release
specs for product/market fit, emitting PM-ready relay directive blocks.
Advisory only — the user stays the decision-maker.

- Two modes: roadmap audit (default) and spec review (verdict:
  PROCEED / RESCOPE / CUT / PIVOT).
- Four-lens engine run as parallel subagents: ground-truth (verify
  claims vs code/git, distinguishing an in-flight lift from real drift),
  jobs-to-be-done, market/competitive, and strategy synthesis.
- Fast by default; `deep` adds live competitive web research.
- Durable by design: lenses read living docs (README/ROADMAP/STATUS/
  CHANGELOG/specs) at runtime, so new surfaces/segments/features are
  picked up automatically. The one static asset, competitive-landscape.md,
  carries a last-reviewed date + freshness protocol.
- Wires a post-brainstorm product gate into CLAUDE.md's Planning section.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01VQbgrP6KQW5pibjbPEoTSs
2026-06-20 22:30:48 -04:00

# Competitive landscape — password managers
> **last-reviewed: 2026-06-20.** This file is the only static, rot-prone asset in
> the skill (the four lenses otherwise read living docs at runtime). The market
> moves: competitors ship features, get breached, change pricing, appear, and
> die. Treat every claim below as "true as of last-reviewed, verify if it
> matters."

**Freshness protocol:**
- If `last-reviewed` is **more than ~6 months** before today, treat this file as
suspect: prefer running the market lens in **deep** mode (live web research)
over trusting the snapshot, and at the end of the run *offer to refresh this
file* (re-research the competitors, rewrite the entries, bump `last-reviewed`).
- Any time a **deep**-mode run surfaces something this file gets wrong or misses
(a new competitor, a shipped feature, a breach), offer to fold it back in and
bump the date. The cheat-sheet should improve every time it's proven stale.

A grounding cheat-sheet for the market lens in **fast** mode so it reasons from a
real map, not vibes.

The goal isn't to rank these for everyone — it's to locate Relicario's wedge
honestly: where the two-factor / self-host / git-backed / server-sees-ciphertext
thesis genuinely wins for the target user, and where Relicario is simply behind
on table stakes.
---
## The field
### Bitwarden
- Open-source, freemium, cloud-hosted by default; self-host possible (official
server is heavy; **vaultwarden** is the popular lightweight Rust reimpl).
- Single-factor KDF: master password (optionally with 2FA gating *login*, not the
KDF). Server breach entropy rests on the master password alone.
- Strong on: ubiquity, mature mobile + browser autofill, painless import/export,
organizations & sharing, low/zero price.
- The default thing a privacy-conscious technical user reaches for. **This is
Relicario's primary reference competitor** — most "why not just use X" pressure
comes from here (specifically self-hosted vaultwarden).
### vaultwarden
- Community Rust server compatible with Bitwarden clients; trivial to self-host
(single container). Inherits Bitwarden's polished clients for free.
- This is the sharpest comparison for Relicario's self-host story: a user who
wants self-hosted secrets already has a turnkey, full-featured option with
mobile apps and autofill. Relicario must justify what it adds *over* this.
### KeePassXC (+ KeePass ecosystem)
- Local-first, file-based (`.kdbx`), no server at all; sync is BYO (Dropbox,
Syncthing, git, etc.). Open-source, free.
- Single-factor by default but supports key files / hardware keys as a second
factor — conceptually the closest mainstream analog to Relicario's "something
you have" image secret (a key file is the unglamorous version of the stego
image).
- Strong on: zero-trust-server (there is no server), longevity, plugin ecosystem.
- Weak on: clunky cross-device sync, dated UX, mobile is third-party.
- The other user Relicario competes for: the "I don't trust any cloud" crowd.
### 1Password
- Commercial, polished, cloud-only (no self-host). **Two-factor KDF**: master
password + a 128-bit Secret Key — the mainstream product whose security model
is closest in spirit to Relicario's (two factors into the key derivation).
- Strong on: best-in-class UX, mobile, autofill, family/team sharing, support.
- Relevant because it proves the two-factor-KDF idea is marketable — but it does
it with a boring random Secret Key, not steganography, and gives up self-host.
### Proton Pass
- Newer, from Proton (Mail/VPN); privacy-positioned, cloud, freemium, open-source
clients. Single-factor KDF; leans on brand trust and the Proton bundle.
- Relevant as the "privacy brand" competitor — it wins on trust + ecosystem, not
on a novel crypto model.
### LastPass (cautionary tale, not a competitor to chase)
- Repeated breaches (notably 2022) where exfiltrated vaults were only as strong
as users' master passwords — the canonical argument *for* a second KDF factor.
- Useful in positioning: Relicario's README already uses LastPass as the "~40–60
bits, single factor" baseline. The market lesson is real and on Relicario's
side, but invoking it is marketing, not differentiation.
---
## Where Relicario can win (the honest version)
- **Server-sees-only-ciphertext + no metadata** against a self-host backend that
still stores structured data. This is a genuine, explainable edge over
vaultwarden for the threat-model-literate user.
- **Two factors into the KDF** (not just 2FA on login) — only 1Password really
matches this, and it isn't self-hostable. That intersection (two-factor KDF +
self-host) is close to empty. That's the wedge.
- **Git as audit log** — "when was this rotated?" answered by `git log` and field
history. Niche, but unique and real for the audit-conscious user.
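As an added illustration (not Relicario's, Bitwarden's or 1Password's code) of the difference between the single-factor KDF noted under Bitwarden and the two-factors-into-the-KDF wedge above: a toy vault verifier, and the number of wordlist guesses a leaked salt + verifier costs under each model, including the case where the second factor leaks alongside the vault. The XOR mixing layout, the tiny iteration count and every sample value are constructed assumptions for the demo.

```python
import hashlib
import hmac

DEMO_ITERATIONS = 1000            # demo-only; real KDFs use far more iterations
CHECK_LABEL = b"vault-key-check"  # constant whose MAC serves as the stored verifier

def single_factor_key(master_password: str, salt: bytes) -> bytes:
    """Key depends on the master password alone (the Bitwarden/KeePassXC default)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, DEMO_ITERATIONS)

def two_factor_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Mix a high-entropy 'something you have' factor into the derived key.
    Assumption: this XOR-of-two-derivations layout is a simplification for the
    demo, not any vendor's exact construction."""
    pw_part = single_factor_key(master_password, salt)
    sk_part = hmac.new(secret_key, salt, "sha256").digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))

def verifier(key: bytes) -> bytes:
    """What a server or vault file stores to check that a presented key is right."""
    return hmac.new(key, CHECK_LABEL, "sha256").digest()

def guesses_to_recover(stored_verifier: bytes, salt: bytes, wordlist, secret_key=None):
    """Defender's risk metric after a breach that leaked salt + verifier: guesses
    until the verifier matches, or None if the list is exhausted (the leak alone
    is not enough). secret_key is what the attacker holds (None = vault only)."""
    for n, guess in enumerate(wordlist, start=1):
        if secret_key is None:
            key = single_factor_key(guess, salt)
        else:
            key = two_factor_key(guess, secret_key, salt)
        if hmac.compare_digest(verifier(key), stored_verifier):
            return n
    return None

# Constructed scenario: the user's password appears in a small wordlist.
SALT = bytes(16)                             # fixed for reproducibility; real salts are random
WORDLIST = ["password", "letmein", "correct horse battery staple", "hunter2"]
USER_PASSWORD = "hunter2"
USER_SECRET_KEY = bytes.fromhex("a3" * 16)   # constructed 128-bit second factor

def breach_outcome():
    """Guesses needed for: single-factor vault; two-factor vault with only the
    vault leaked; two-factor vault where the second factor leaked alongside it."""
    single = verifier(single_factor_key(USER_PASSWORD, SALT))
    two = verifier(two_factor_key(USER_PASSWORD, USER_SECRET_KEY, SALT))
    return (guesses_to_recover(single, SALT, WORDLIST),
            guesses_to_recover(two, SALT, WORDLIST),
            guesses_to_recover(two, SALT, WORDLIST, USER_SECRET_KEY))
```

The third result is the caveat the page's wedge depends on: a second KDF factor only raises breach cost if it is never stored next to the vault it protects.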
## Where Relicario is behind (table stakes to be honest about)
- **Mobile.** Bitwarden/1Password/Proton all have first-class mobile apps with
autofill. Relicario is CLI + browser extension; the Rust core compiles to ARM
but there's no shipped mobile client. For most users this alone is
disqualifying — weigh it heavily.
- **Autofill quality & breadth.** Browser-extension autofill maturity is a moat
the incumbents have spent years on.
- **Frictionless import** from the incumbents (Bitwarden, 1Password) — LastPass
CSV exists; the others are on the roadmap. Import friction is a real adoption
tax.
- **Sharing / multi-user polish.** The org-vault track is new; incumbents have
mature org/family sharing.
## The uncomfortable question to keep asking
For a user who wants self-hosted secrets, **vaultwarden already exists and is
turnkey with great clients.** Every Relicario feature should be weighed against:
"does this widen the gap on the thesis (two-factor KDF, no-metadata, git audit),
or is it just trying to catch up to vaultwarden on table stakes I'll never win?"
The strategy lens should treat *catching up to vaultwarden's client polish* and
*deepening the unique thesis* as different bets with very different ROI.